CVE-2025-23184

MEDIUM

Apache CXF < 3.5.10 - Denial of Service

Title source: rule

Description

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system. This applies to both servers and clients.

Scores

CVSS v3 5.9
EPSS 0.0011
EPSS Percentile 29.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE
CWE-400
Status published

Affected Products (2)

apache/cxf < 3.5.10
org.apache.cxf/cxf-core < 3.5.10 (Maven)

Timeline

Published Jan 21, 2025
Tracked Since Feb 18, 2026